NSS uses the Novell Trustee model for controlling access to user data. As an administrator or a user with the Supervisor right or Access Control right, you can use the Files and Folders plug-in to iManager to manage file system trustees, trustee rights, inherited rights filters, and attributes for a file or folder on an NSS volume. A user who has only the Access Control right cannot modify the rights of another user who has the Supervisor right.
IMPORTANT: For more information and alternate methods for configuring file system trustees and attributes for directories and files on NSS volumes, see the OES 2 SP3: File Systems Management Guide.
The volume that you want to manage must be in the same tree where you are currently logged in to iManager.
You must have trustee rights for the volume, folder, and file that you want to manage.
The volume must be a file system that uses the Novell trustee model for file access, such as an NSS volume on OES 2 Linux, an NSS or NetWare traditional volume on NetWare 6.5, or an NCP (NetWare Core Protocol) volume (an NCP share on a Linux POSIX file system) on OES 2 Linux.
In iManager, click > to open the page.
Click the icon to browse and locate the volume, folder, or file from the Storage objects, then click the name link of the object to select it.
The pathname of the object appears in the field.
View the following properties in three tabs:
Properties Tabs | Description | For Information |
---|---|---|
Information | | See Section 25.7, Viewing or Modifying File or Folder Properties. See Section 25.9, Viewing, Adding, Modifying, or Removing a Directory Quota. |
Rights | | |
Inherited Rights | | |
File attributes determine how the file or folder behaves when accessed by any user. File attributes apply universally to all users. For example, a file that has a read-only attribute is read-only for all users.
Attributes can be set by any trustee with the Modify right to the directory or file, and attributes stay set until they are changed. Attributes do not change when you log out or when you down a file server.
For example, if a trustee with the Modify right enables the Delete Inhibit attribute for a file, no one, including the owner of the file or the network administrator, can delete the file. However, any trustee with the Modify right can disable the Delete Inhibit attribute to allow the file’s deletion.
In iManager, click > to open the page.
Click the icon to browse and locate the volume, folder, or file from the Storage objects, then click the name link of the object to select it.
The pathname of the object appears in the field. For example: VOL1:dir1\dirB\filename.ext
Click the tab to view or modify the file or folder attributes. Enable or disable an attribute by selecting or deselecting the check box next to it.
IMPORTANT: Changes do not take effect until you click or . If you click a different tab before you save, changes you make on this page are lost.
The following table defines file system attributes and whether they apply to files, folders, or both files and folders.
Attribute | Description | Files | Folders |
---|---|---|---|
Read Only | Prevents a file from being modified. This attribute is typically used in combination with Delete Inhibit and Rename Inhibit. | Yes | No |
Archive | Identifies files and folders that have been modified since the last backup. This attribute is assigned automatically. | Yes | Yes |
Hidden | Hides directories and files so they do not appear in a file manager or directory listing. | Yes | Yes |
Shareable | Allows more than one user to access the file at the same time. This attribute is usually used with Read Only. | Yes | No |
Transactional (NetWare) | Allows a file on an NSS volume or a NetWare Traditional volume to be tracked and protected by the Transaction Tracking System™ (TTS™) for NetWare. For NSS, the TTS attribute for the volume must be enabled in order for this setting to be enforced. TTS is not available for NSS on Linux. | Yes | No |
Purge Immediate | Flags a directory or file to be erased from the system as soon as it is deleted. Purged directories and files cannot be recovered. | Yes | Yes |
Rename Inhibit | Prevents the directory or filename from being modified. | Yes | Yes |
Delete Inhibit | Prevents users from deleting a directory or file. This attribute overrides the file system trustee Erase right. When Delete Inhibit is enabled, no one, including the owner and network administrator, can delete the directory or file. A trustee with the Modify right must disable this attribute to allow the directory or file to be deleted. | Yes | Yes |
Copy Inhibit (NetWare) | Prevents users from copying a file. This attribute works only for clients using Macintosh operating systems to access NSS volumes on NetWare. This attribute overrides the trustee Read right and File Scan right. A trustee with the Modify right must disable this attribute to allow the file to be copied. | Yes | No |
If you modified any settings, click or to save your changes.

File system trustees, trustee rights, and inherited rights filters are used to determine access and usage for directories and files on NSS volumes on OES 2 Linux, NCP volumes on OES 2 Linux, and NSS and NetWare Traditional volumes on NetWare 6.5 SP8. If you modify any settings, you must click or to save the changes.

A trustee is any Novell eDirectory object (such as a User object, Group object, Organizational Role object, or other container object) that you grant one or more rights for a directory or file. Trustee assignments allow you to set permissions for and monitor user access to data.
In iManager, click , then click to open the page.
On the page, select a volume, folder, or file to manage. For instructions, see Section 20.1.2, Viewing Properties of a File or Folder.
Click the tab to view the trustees, trustee rights, and inherited rights filter for the selected volume, folder, or file.
Add trustees.
Scroll down to the field.
Use one of the following methods to add usernames as trustees:
Click the icon, browse to locate the usernames of the users, groups, or roles that you want to add as trustees, click the name link of the objects to add them to the list, then click .
Click the icon to select usernames from a list of users, groups, or roles that you recently accessed.
Type the typeless distinguished username (such as username.context) in the field, then click the (+) icon.
The usernames appear in the Trustees list, but they are not actually added until you click or . Each of the usernames has the default Read and File Scan trustee rights assigned.
On the page, click to save the changes.
Remove trustees.
Scroll down to locate and select the username of the user, group, or role that you want to remove as a trustee.
Click the (red X) icon next to the username to remove it as a trustee.
The username disappears from the list, but it is not actually removed until you click or .
On the page, click to save changes.

Administrator users and users with the Supervisor right or the Access Control right can grant or revoke file system trustee rights for a volume, folder, or file. Only the administrator user or user with the Supervisor right can grant or revoke the Access Control right.
In iManager, click , then click to open the page.
On the page, select a volume, folder, or file to manage. For instructions, see Section 20.1.2, Viewing Properties of a File or Folder.
Click the tab to view the trustees, trustee rights, and inherited rights filter for the selected volume, folder, or file.
Scroll to locate the username of the trustee you want to manage.
In the check boxes next to the trustee name, select or deselect the rights you want to grant or revoke for the trustee.
IMPORTANT: Changes do not take effect until you click or . If you click a different tab before you save, any changes you have made on this page are lost.
Trustee Right | Description |
---|---|
Supervisor (S) | Grants the trustee all rights to the directory or file and any subordinate items. The Supervisor right cannot be blocked with an inherited rights filter (IRF) and cannot be revoked. Users who have this right can also grant other users any rights to the directory or file and can change its inherited rights filter. Default=Off |
Read (R) | Grants the trustee the ability to open and read files, and open, read, and execute applications. Default=On |
Write (W) | Grants the trustee the ability to open and modify (write to) an existing file. Default=Off |
Erase (E) | Grants the trustee the ability to delete directories and files. Default=Off |
Create (C) | Grants the trustee the ability to create directories and files and salvage deleted files. Default=Off |
Modify (M) | Grants the trustee the ability to rename directories and files, and change file attributes. Does not allow the user to modify the contents of the file. Default=Off |
File Scan (F) | Grants the trustee the ability to view directory and filenames in the file system structure, including the directory structure from that file to the root directory. Default=On |
Access Control (A) | Grants the trustee the ability to add and remove trustees for directories and files and modify their trustee assignments and inherited rights filters. Default=Off |
Click or to save changes.

File system trustee rights assignments made at a given directory level flow down to lower levels until they are either changed or masked out. This is referred to as inheritance. The mechanism provided for preventing inheritance is called the inherited rights filter. Only those rights allowed by the filter are inherited by the child object. The effective rights that are granted to a trustee are a combination of explicit rights set on the file or folder and the inherited rights. Inherited rights are overridden by rights that are assigned explicitly for the trustee on a given file or folder.
In iManager, click , then click to open the page.
On the page, select a volume, folder, or file to manage. For instructions, see Section 20.1.2, Viewing Properties of a File or Folder.
Click , then scroll down to view the inherited rights filter.
The selected rights are allowed to be inherited from parent directories. The deselected rights are not inherited.
In the , enable or disable a right to be inherited from its parent directory by selecting or deselecting the check box next to it.
Click or to save the changes.

Effective rights are the explicit rights defined for the trustee plus the rights that are inherited from the parent directory. The page shows the inheritance path for a trustee for the selected file or folder and the effective rights at each level from the current file or directory to the root of the volume. You can use this information to help identify at which directory in the path a particular right was filtered, granted, or revoked.

In iManager, click , then click to open the page.
On the page, select a volume, folder, or file to manage. For instructions, see Section 20.1.2, Viewing Properties of a File or Folder.
On the page, click the tab to view the effective rights for a given trustee.
By default, the page initially displays the effective rights for the username you used to log in to iManager.
On the page, click the icon next to the field to browse for and locate the username of the trustee you want to manage, then select the username by clicking the name link.
The path for the selected file or folder is traced backwards to the root of the volume. At each level, you can see the rights that have been granted and inherited to create the effective rights for the trustee.
If you make any changes, click or to save them.
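
The inheritance and effective-rights rules described above, as an added example (a simplified model, not Novell's code and not part of the original guide): it traces one trustee's effective rights from the volume root down to a file and reports the level at which a right was filtered out. The function names and the sample assignments are constructed for illustration, and the model assumes a single trustee with no group memberships or security equivalences.

```python
ALL_RIGHTS = set("SRWECMFA")  # the eight trustee rights listed in the table

def levels_of(path):
    """Split 'VOL1:dir1\\dirB' into ['VOL1:', 'VOL1:dir1', 'VOL1:dir1\\dirB']."""
    volume, _, rest = path.partition(":")
    levels = [volume + ":"]
    for part in filter(None, rest.split("\\")):
        sep = "" if levels[-1].endswith(":") else "\\"
        levels.append(levels[-1] + sep + part)
    return levels

def trace_effective_rights(path, explicit, irf):
    """Return [(level, effective rights)] for one trustee, volume root first.
    explicit: {level: rights assigned to the trustee at that level}
    irf: {level: rights the filter lets through}; no entry means no filtering."""
    trace, inherited = [], set()
    for level in levels_of(path):
        # The IRF limits what is inherited; Supervisor cannot be blocked by it.
        passed = (inherited & irf.get(level, ALL_RIGHTS)) | (inherited & {"S"})
        # Explicit rights override inherited ones; inherited Supervisor stays.
        if level in explicit:
            effective = set(explicit[level]) | (passed & {"S"})
        else:
            effective = passed
        if "S" in effective:  # Supervisor grants all rights
            effective = set(ALL_RIGHTS)
        trace.append((level, effective))
        inherited = effective
    return trace

def first_level_without(trace, right):
    """First level at which a previously held right is no longer effective."""
    held = False
    for level, rights in trace:
        if right in rights:
            held = True
        elif held:
            return level
    return None

def can_delete(effective, attributes):
    """Delete Inhibit overrides the Erase right for every user."""
    return "E" in effective and "Delete Inhibit" not in attributes

# Constructed sample data (not taken from a real volume).
PATH = "VOL1:dir1\\dirB\\filename.ext"
EXPLICIT = {"VOL1:": set("RF"), "VOL1:dir1": set("RWCEF")}
IRF = {"VOL1:dir1\\dirB": set("RF")}
```

With the sample data, Write is granted explicitly at VOL1:dir1 and dropped by the filter on VOL1:dir1\dirB, which is the level `first_level_without(trace, "W")` returns.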